Keep Domestic Cybersecurity Efforts in Civilian Hands

Last night the House of Representatives passed HR 3523, the Cyber Intelligence Sharing and Protection Act, or CISPA. We’ve written about the many privacy problems with this bill, but here I would like to focus on one of its biggest and most fundamental flaws: it empowers the military, including agencies like the NSA, to collect the internet records of Americans’ everyday internet use.

It is a long-established principle that the military is not permitted to spy on Americans. Authorizing the NSA to turn its powerful eavesdropping apparatus on Americans would pose a significant threat to our privacy and a major departure from our values. Even in the wake of the September 11 attacks and the many rewrites of our surveillance laws over the last decade, Congress has never turned the NSA loose on the internet without even minimal court and congressional oversight. Yet, that’s exactly what the House has now passed.

While we have some bones to pick with the Obama administration over privacy issues, they have been strongly supporting the principle of keeping domestic cybersecurity programs in civilian hands. Although Congress seems intent on ignoring it, the Administration has consistently sent this message to Congress over the last year:

•DHS Secretary Napolitano testified before the Senate Committee on Homeland Security and Government Affairs that the administration supports legislation that designates a civilian government agency such as DHS as the lead agency in the government’s cybersecurity efforts.

•The administration transferred a program called the Defense Industrial Base (DIB) Exploratory Cybersecurity Initiative (DIB Opt-In Pilot) (under which the federal government shares classified signatures and other cybersecurity information with defense contractors) out of the Pentagon and into DHS. In February 2012, Secretary Napolitano told Congress that the Administration transferred control of the DIB Pilot to DHS because as a civilian agency, existing laws and authorities make DHS better situated to coordinate this type of information sharing program with the private sector. If a civilian agency is best suited to administer a program focused on sharing classified data with defense contractors that build military weapons systems, then it is certainly best suited to coordinate the cybersecurity and information sharing efforts of the federal government on domestic, civilian networks.

•When the White House wrote its own cybersecurity bill last year, it made the Department of Homeland Security the lead agency to coordinate government cybersecurity and related information sharing efforts. This proposal was the result of an extensive interagency process. Of course, this would not prevent DHS from relying on NSA expertise; they have long done so and DHS already has access to the cybersecurity capabilities and assistance that the NSA can provide, pursuant to a Memorandum of Agreement that both agencies signed in 2010. Under this agreement, the NSA is authorized to provide DHS any assistance or access to its capabilities that DHS requires in order to carry out its cybersecurity responsibilities.

•Perhaps most significantly, the administration cited the principle of civilian control in issuing its veto threat Wednesday over CISPA. The administration declared that “H.R. 3523 effectively treats domestic cybersecurity as an intelligence activity and thus, significantly departs from longstanding efforts to treat the Internet and cyberspace as civilian spheres.”

Any claims that DHS or other civilian agencies aren’t capable of handling cybersecurity are belied by comments to the contrary by officials from within the military establishment itself. Current and former high-ranking officials from the Department of Defense have stated publicly that DHS, and not DoD, should be the lead agency directing government cybersecurity efforts.

For example, Eric Rosenbach, deputy assistant secretary of Defense for Cyber Policy in the Department of Defense, said at the annual RSA Security Conference in February that a civilian agency, and not an agency within DoD, should be responsible for securing the domestic, civilian internet. “It’s almost certainly not the right approach for the United States of America to have a foreign intelligence focus on domestic networks, doing something that throughout history has been a domestic function,” he said. “But that doesn’t mean that DoD and NSA don’t play in the game,” he added. “We’re more the supporting effort.” And even former CIA and NSA Director Michael Hayden, who has been an outspoken proponent for appointing the NSA as the government’s lead agency for cybersecurity, has acknowledged that the NSA could assist in the cybersecurity effort under DHS leadership.

Sadly, the House Rules Committee did not permit a vote on amendments offered by Rep. Jan Schakowsky and Rep. Bennie Thompson that would have ensured that domestic cyber information collection be housed in civilian agencies. To prevent the NSA from collecting our internet records in the name of cybersecurity, the only thing left for Congress to do is say ‘no’ to CISPA.